8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Size

448KB
MD5

f036661c2cb817454eeaf7454f4998fd
SHA1

81f0c1bd132fe070aa1029d4b2ad35e2f358cfff
SHA256

8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715
SHA512

ac165d58de05be277967b5dad4b20c9982df69b769fcbe093311e5c33365dc7ced8041daef62935ece525b17df3b366fee0539720c2a97dc8a8169383b865798
SSDEEP

6144:/X9/4SxPCth3AxiLUmKyIxLDXXoq9FJZCUmKyIxL:Vg4PC/w832XXf9Do3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pnbojmmp.exeAdnpkjde.exeBoogmgkl.exe8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exePojecajj.exeBkhhhd32.exeBqijljfd.exePhqmgg32.exeAakjdo32.exeApedah32.exeAbmgjo32.exeCbppnbhm.exeCkhdggom.exeCaifjn32.exeCkmnbg32.exeAebmjo32.exeQkfocaki.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apedah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abmgjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apedah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aebmjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qkfocaki.exe

Executes dropped EXE 17 IoCs

Processes:

Phqmgg32.exePojecajj.exePnbojmmp.exeQkfocaki.exeApedah32.exeAebmjo32.exeAakjdo32.exeAbmgjo32.exeAdnpkjde.exeBkhhhd32.exeBqijljfd.exeBoogmgkl.exeCbppnbhm.exeCkhdggom.exeCkmnbg32.exeCaifjn32.exeDpapaj32.exe

pid	process
3040	Phqmgg32.exe
2636	Pojecajj.exe
3068	Pnbojmmp.exe
2940	Qkfocaki.exe
2928	Apedah32.exe
2292	Aebmjo32.exe
2620	Aakjdo32.exe
2600	Abmgjo32.exe
824	Adnpkjde.exe
2356	Bkhhhd32.exe
2332	Bqijljfd.exe
2764	Boogmgkl.exe
2196	Cbppnbhm.exe
2876	Ckhdggom.exe
2780	Ckmnbg32.exe
892	Caifjn32.exe
1744	Dpapaj32.exe

Loads dropped DLL 37 IoCs

Processes:

8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exePhqmgg32.exePojecajj.exePnbojmmp.exeQkfocaki.exeApedah32.exeAebmjo32.exeAakjdo32.exeAbmgjo32.exeAdnpkjde.exeBkhhhd32.exeBqijljfd.exeBoogmgkl.exeCbppnbhm.exeCkhdggom.exeCkmnbg32.exeCaifjn32.exeWerFault.exe

pid	process
1612	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
1612	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
3040	Phqmgg32.exe
3040	Phqmgg32.exe
2636	Pojecajj.exe
2636	Pojecajj.exe
3068	Pnbojmmp.exe
3068	Pnbojmmp.exe
2940	Qkfocaki.exe
2940	Qkfocaki.exe
2928	Apedah32.exe
2928	Apedah32.exe
2292	Aebmjo32.exe
2292	Aebmjo32.exe
2620	Aakjdo32.exe
2620	Aakjdo32.exe
2600	Abmgjo32.exe
2600	Abmgjo32.exe
824	Adnpkjde.exe
824	Adnpkjde.exe
2356	Bkhhhd32.exe
2356	Bkhhhd32.exe
2332	Bqijljfd.exe
2332	Bqijljfd.exe
2764	Boogmgkl.exe
2764	Boogmgkl.exe
2196	Cbppnbhm.exe
2196	Cbppnbhm.exe
2876	Ckhdggom.exe
2876	Ckhdggom.exe
2780	Ckmnbg32.exe
2780	Ckmnbg32.exe
892	Caifjn32.exe
892	Caifjn32.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe

Drops file in System32 directory 53 IoCs

Processes:

Boogmgkl.exeCkmnbg32.exePhqmgg32.exeQkfocaki.exeAdnpkjde.exePnbojmmp.exeCbppnbhm.exeAakjdo32.exeCkhdggom.exe8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exeApedah32.exeAbmgjo32.exePojecajj.exeBkhhhd32.exeBqijljfd.exeCaifjn32.exeAebmjo32.exeDpapaj32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Hmdeje32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File created	C:\Windows\SysWOW64\Apedah32.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Mqdkghnj.dll	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Abmgjo32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Qkfocaki.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Cpqmndme.dll	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Cfibop32.dll	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
File created	C:\Windows\SysWOW64\Aebmjo32.exe	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Pnbojmmp.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bkhhhd32.exe
File opened for modification	C:\Windows\SysWOW64\Pnbojmmp.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Kbfcnc32.dll	Pojecajj.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Aebfidim.dll	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Phqmgg32.exe	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Abmgjo32.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Qkfocaki.exe	Pnbojmmp.exe
File created	C:\Windows\SysWOW64\Bbjclbek.dll	Aebmjo32.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Abmgjo32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bqijljfd.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Cbppnbhm.exe
File opened for modification	C:\Windows\SysWOW64\Apedah32.exe	Qkfocaki.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Aebmjo32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Abmgjo32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Cbppnbhm.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Phqmgg32.exe
File opened for modification	C:\Windows\SysWOW64\Aebmjo32.exe	Apedah32.exe
File created	C:\Windows\SysWOW64\Khpjqgjc.dll	Apedah32.exe
File opened for modification	C:\Windows\SysWOW64\Cbppnbhm.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Kmgbdm32.dll	Phqmgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Phqmgg32.exe	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
File opened for modification	C:\Windows\SysWOW64\Aakjdo32.exe	Aebmjo32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1532 1744 WerFault.exe Dpapaj32.exe

pid	pid_target	process	target process
1532	1744	WerFault.exe	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Adnpkjde.exeCaifjn32.exePnbojmmp.exeAakjdo32.exeApedah32.exeAbmgjo32.exe8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exePhqmgg32.exeBqijljfd.exeBoogmgkl.exeQkfocaki.exeAebmjo32.exeCbppnbhm.exeCkhdggom.exeCkmnbg32.exeDpapaj32.exePojecajj.exeBkhhhd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnbojmmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apedah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abmgjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phqmgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfocaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebmjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbppnbhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe

Modifies registry class 54 IoCs

Processes:

Pnbojmmp.exeCbppnbhm.exeBoogmgkl.exePhqmgg32.exeQkfocaki.exeApedah32.exeBkhhhd32.exeAakjdo32.exeBqijljfd.exe8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exePojecajj.exeAbmgjo32.exeAebmjo32.exeCkmnbg32.exeAdnpkjde.exeCaifjn32.exeCkhdggom.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnbojmmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbppnbhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qkfocaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkghnj.dll"	Pnbojmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abmgjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll"	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll"	Aebmjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qkfocaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Cbppnbhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aebfidim.dll"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Phqmgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll"	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpjqgjc.dll"	Apedah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abmgjo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1612 wrote to memory of 3040	1612	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Phqmgg32.exe
PID 1612 wrote to memory of 3040	1612	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Phqmgg32.exe
PID 1612 wrote to memory of 3040	1612	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Phqmgg32.exe
PID 1612 wrote to memory of 3040	1612	8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe	Phqmgg32.exe
PID 3040 wrote to memory of 2636	3040	Phqmgg32.exe	Pojecajj.exe
PID 3040 wrote to memory of 2636	3040	Phqmgg32.exe	Pojecajj.exe
PID 3040 wrote to memory of 2636	3040	Phqmgg32.exe	Pojecajj.exe
PID 3040 wrote to memory of 2636	3040	Phqmgg32.exe	Pojecajj.exe
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	Pnbojmmp.exe
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	Pnbojmmp.exe
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	Pnbojmmp.exe
PID 2636 wrote to memory of 3068	2636	Pojecajj.exe	Pnbojmmp.exe
PID 3068 wrote to memory of 2940	3068	Pnbojmmp.exe	Qkfocaki.exe
PID 3068 wrote to memory of 2940	3068	Pnbojmmp.exe	Qkfocaki.exe
PID 3068 wrote to memory of 2940	3068	Pnbojmmp.exe	Qkfocaki.exe
PID 3068 wrote to memory of 2940	3068	Pnbojmmp.exe	Qkfocaki.exe
PID 2940 wrote to memory of 2928	2940	Qkfocaki.exe	Apedah32.exe
PID 2940 wrote to memory of 2928	2940	Qkfocaki.exe	Apedah32.exe
PID 2940 wrote to memory of 2928	2940	Qkfocaki.exe	Apedah32.exe
PID 2940 wrote to memory of 2928	2940	Qkfocaki.exe	Apedah32.exe
PID 2928 wrote to memory of 2292	2928	Apedah32.exe	Aebmjo32.exe
PID 2928 wrote to memory of 2292	2928	Apedah32.exe	Aebmjo32.exe
PID 2928 wrote to memory of 2292	2928	Apedah32.exe	Aebmjo32.exe
PID 2928 wrote to memory of 2292	2928	Apedah32.exe	Aebmjo32.exe
PID 2292 wrote to memory of 2620	2292	Aebmjo32.exe	Aakjdo32.exe
PID 2292 wrote to memory of 2620	2292	Aebmjo32.exe	Aakjdo32.exe
PID 2292 wrote to memory of 2620	2292	Aebmjo32.exe	Aakjdo32.exe
PID 2292 wrote to memory of 2620	2292	Aebmjo32.exe	Aakjdo32.exe
PID 2620 wrote to memory of 2600	2620	Aakjdo32.exe	Abmgjo32.exe
PID 2620 wrote to memory of 2600	2620	Aakjdo32.exe	Abmgjo32.exe
PID 2620 wrote to memory of 2600	2620	Aakjdo32.exe	Abmgjo32.exe
PID 2620 wrote to memory of 2600	2620	Aakjdo32.exe	Abmgjo32.exe
PID 2600 wrote to memory of 824	2600	Abmgjo32.exe	Adnpkjde.exe
PID 2600 wrote to memory of 824	2600	Abmgjo32.exe	Adnpkjde.exe
PID 2600 wrote to memory of 824	2600	Abmgjo32.exe	Adnpkjde.exe
PID 2600 wrote to memory of 824	2600	Abmgjo32.exe	Adnpkjde.exe
PID 824 wrote to memory of 2356	824	Adnpkjde.exe	Bkhhhd32.exe
PID 824 wrote to memory of 2356	824	Adnpkjde.exe	Bkhhhd32.exe
PID 824 wrote to memory of 2356	824	Adnpkjde.exe	Bkhhhd32.exe
PID 824 wrote to memory of 2356	824	Adnpkjde.exe	Bkhhhd32.exe
PID 2356 wrote to memory of 2332	2356	Bkhhhd32.exe	Bqijljfd.exe
PID 2356 wrote to memory of 2332	2356	Bkhhhd32.exe	Bqijljfd.exe
PID 2356 wrote to memory of 2332	2356	Bkhhhd32.exe	Bqijljfd.exe
PID 2356 wrote to memory of 2332	2356	Bkhhhd32.exe	Bqijljfd.exe
PID 2332 wrote to memory of 2764	2332	Bqijljfd.exe	Boogmgkl.exe
PID 2332 wrote to memory of 2764	2332	Bqijljfd.exe	Boogmgkl.exe
PID 2332 wrote to memory of 2764	2332	Bqijljfd.exe	Boogmgkl.exe
PID 2332 wrote to memory of 2764	2332	Bqijljfd.exe	Boogmgkl.exe
PID 2764 wrote to memory of 2196	2764	Boogmgkl.exe	Cbppnbhm.exe
PID 2764 wrote to memory of 2196	2764	Boogmgkl.exe	Cbppnbhm.exe
PID 2764 wrote to memory of 2196	2764	Boogmgkl.exe	Cbppnbhm.exe
PID 2764 wrote to memory of 2196	2764	Boogmgkl.exe	Cbppnbhm.exe
PID 2196 wrote to memory of 2876	2196	Cbppnbhm.exe	Ckhdggom.exe
PID 2196 wrote to memory of 2876	2196	Cbppnbhm.exe	Ckhdggom.exe
PID 2196 wrote to memory of 2876	2196	Cbppnbhm.exe	Ckhdggom.exe
PID 2196 wrote to memory of 2876	2196	Cbppnbhm.exe	Ckhdggom.exe
PID 2876 wrote to memory of 2780	2876	Ckhdggom.exe	Ckmnbg32.exe
PID 2876 wrote to memory of 2780	2876	Ckhdggom.exe	Ckmnbg32.exe
PID 2876 wrote to memory of 2780	2876	Ckhdggom.exe	Ckmnbg32.exe
PID 2876 wrote to memory of 2780	2876	Ckhdggom.exe	Ckmnbg32.exe
PID 2780 wrote to memory of 892	2780	Ckmnbg32.exe	Caifjn32.exe
PID 2780 wrote to memory of 892	2780	Ckmnbg32.exe	Caifjn32.exe
PID 2780 wrote to memory of 892	2780	Ckmnbg32.exe	Caifjn32.exe
PID 2780 wrote to memory of 892	2780	Ckmnbg32.exe	Caifjn32.exe

C:\Users\Admin\AppData\Local\Temp\8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe
"C:\Users\Admin\AppData\Local\Temp\8752f7253a458fbd4108ea7795fc184e0bef73f16889693f5f63daad46516715.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\Phqmgg32.exe
  C:\Windows\system32\Phqmgg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\Pojecajj.exe
    C:\Windows\system32\Pojecajj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Pnbojmmp.exe
      C:\Windows\system32\Pnbojmmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\Qkfocaki.exe
        
        C:\Windows\system32\Qkfocaki.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\SysWOW64\Apedah32.exe
        
        C:\Windows\system32\Apedah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Aebmjo32.exe
        
        C:\Windows\system32\Aebmjo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Abmgjo32.exe
        
        C:\Windows\system32\Abmgjo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Bkhhhd32.exe
        
        C:\Windows\system32\Bkhhhd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Cbppnbhm.exe
        
        C:\Windows\system32\Cbppnbhm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 144
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aebmjo32.exe

Filesize
448KB

MD5
db0c0c422e2982d6c7ebbcd1895f8a43

SHA1
1621263cec821ea71a54d28253801d46a9f9a9c1

SHA256
0feda337284702dd8f3004aa5818804d0dbfd703ae52c344ab2d6663669203a1

SHA512
5503c58e19b5664c42560c0ce5ca18973379f5ccd801107c7d5983736ba43e9a59fd768a56ce4cd0414800f95931e64d5f64f4bbf5f18216bb78ca9a33766e50

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
448KB

MD5
6caa7aeec99356d4e3d130a70065ebc1

SHA1
08e82be400d313dec4f53de41269a86064e8c09a

SHA256
80fd3f41014ddfacc35f5134ee0292cad1b6d057c61319d76a6d8fcc9e439a03

SHA512
74c67804f49d89ee0faa8e2581cb8eeb1748d2f128ab5f8b9288d46cc4decc20d5711a26d0aac1fd7bb62fc99e2730431f1a10b8100f46e136b2585590258ade

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
448KB

MD5
80f81d888d6439b18665929fdc8bfcf6

SHA1
e17664f2c916395a186101e440034ec589c5f3e1

SHA256
3aaa62d786ccadc599411ba5c52dcf1d89776edd519899d4b73c77329269d0cc

SHA512
9c0eca16f904ec434c863f2b04195cca27ddd969d37ddf413f9aadd6d1d30fdbafd7eafd10b55e749fafa3bc9d64ee6d1bb085fa818d0d60bc4adc32102c5cbd

Download Submit
C:\Windows\SysWOW64\Cpqmndme.dll

Filesize
7KB

MD5
e062dacf9e38cd4f03d5520d1ff6feed

SHA1
38bbfefb2a444a22c609185344f7cf1795b32bdd

SHA256
54781493fd682a3e1b73da397f5e5f6ed34a393491be211841858166b6d5e825

SHA512
cbeca2b0bbc4e54596fe371c560b0fa83356ec629d0794b47540d038c233897b17f917b8234756b9febdfb338ede01e993f21695d828adc1934f3f8ddc2cc2ba

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
448KB

MD5
05f5f05e9fbb21d172bc940a85553257

SHA1
6c22f176727fc5677b2bed418d4641a743bf7c31

SHA256
828846af6ec20881b6cc5cd3e16b475fbc779bd3d0196f0bc938a24418023d22

SHA512
af50ecccde69fc63b40c059c0d49cc82d90b049b217bb685b4c61f9ec7a6e9f6b51a2906c8dc87a3a28eb41b52f90fae17303971814e0cad48fc06b9392a0e8f

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
448KB

MD5
186ff91c2be883c479729e2265088b7b

SHA1
9ac7030b807d2b83c0366c5338a4cb41226e1263

SHA256
680f8d07a20c405ea2d2a307b057ddc37dddceeb66ac25027be55353348dc20a

SHA512
7de7ff1d25e0b2b2ce03fc4899b13ade673513cab3a7cbe23040be207b80fa93b308a0b076dce56a939b928f3454381fe806d677f2d0096ad44d1d8ef1418fee

Download Submit
C:\Windows\SysWOW64\Qkfocaki.exe

Filesize
448KB

MD5
34c0193fed78edc146c3685bfe0745cc

SHA1
536e65bd257702a71328a5f0c9a7c3e108a21dc8

SHA256
884397682c458d8f490fe408e1cb805d687a5f5b1f453c0707f1d0a09ef887d7

SHA512
dadd06af82f704593f739e079ecb2b0f2eac31a1cafc5409740918b25b497210cac45dad185e49e1a187ea88775cccb554b8c59bcd2736feb9e30a4e922694aa

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
448KB

MD5
d17ca7db625a10166a508342b211f9f1

SHA1
497c39b84f78d0b3070de6be2e886a9fe889e386

SHA256
15875a3fd58e3083fe93ac6bd6004d4c49c73dcdf8a7a623d089a43599ea6513

SHA512
c3c69998d9159eb490321487439495d1bb4fd4aee112fdb2b12c6fd3f5b69427979763d7cbc7fe8b14833d44f13c0cd02a535cd170ebbc6e8ce1777cfebc2aa8

Download Submit
\Windows\SysWOW64\Abmgjo32.exe

Filesize
448KB

MD5
bfecbe7134e73dc1ac896a6cd8adc9c4

SHA1
a04bc93622093525b23b0714affe9c87b327db93

SHA256
2da5781506efc1d8548e1fbe54abe6c0de0640469d61870b964ea04736099cf3

SHA512
5a319fb79ce5373e4b671cf54ed43af239e31ac9e47ae81f0329410fd387dd2c4b10527be1c159e3809dd86fc724c1091d466951671e9d3ccd00f0743c19e494

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
448KB

MD5
0bf7be2920e0a6f1c5a0c726aea237ff

SHA1
6a21e991944bcab613a76f77494550905ab3cf4f

SHA256
dbafc285d9ab9f77d440d141aa1bcdee0febc4c72510e3932398aca261b158d3

SHA512
bb3c7cb08ed820cd29938cd0f0636fd7f8fc5b099820d5fbb340945d8c2dcead691bdc97fde40daa98bab23654c9792856520e0f4f7e728ef00f315e4bcc3f8b

Download Submit
\Windows\SysWOW64\Apedah32.exe

Filesize
448KB

MD5
4962a90e597ffaf2fe655ca81f485137

SHA1
665a2ba953e810064530304334ebd67c079d620e

SHA256
d4f2edff750186c1ec07d1e8afd60ea0b7593d9df3788aa75a679b2c1f80d4b4

SHA512
2cc9ccc9e094daaafb9bcdd35bafcb43af6a1308372c8b1a844142bac2adb715151eb46ed583ac352443adab2ec504e78899fe215d8efb19a20edb47daf2028b

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
448KB

MD5
d5a900a2c32fb943c05d9e931e4fba33

SHA1
abb3de75c2b2e864a1a9361eb4cb720ccf4666d1

SHA256
33dc7d62e0a03ebcff9ad7f07adfdf60663c16c23bb887e6965d2567ffeb3dda

SHA512
8bfa7d8cd1a7d2a0c73d80f44ed6e08309423b9ab756d8d7020a440c52eab190ec7b0a26d246a2d0123d5a279e1d0b0f3293504a48c9ef9a3935e2dd0dd31a38

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
448KB

MD5
970622c36e60b2c14b1e8089f4d0f122

SHA1
96f3cf63ac4ac812ff1bf13eb0e00a18e6bbfd91

SHA256
16f5d721093e561d16d4812312c40777a10c7fc1f103bfd5bc3e8b8f71d097f0

SHA512
c570dc9b58d6b0dc47a5918d1144aa5dbd63d84406118315c09f6cfe245dbb01d4e18b4506b9793880fcb40e92e27d543a3ba0d776e0dc75b5b402b3be41d98a

Download Submit
\Windows\SysWOW64\Cbppnbhm.exe

Filesize
448KB

MD5
0961be543eab741626029e325bcbd9f5

SHA1
1dd7420f8303fbfc305f6a9f769bec2dc4af8522

SHA256
51f05cf2f3c1bfd09eda1f92d98875c2c53c3765ac0514aa88886cf08e4b9835

SHA512
2dbd95330f36daa30443ce9802db4549c930db247cbd6bc996c54545db3216f0da21472d72955bc038ab452e09a97be436dbf8d75e2ea06d30ef5a488baf8531

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
448KB

MD5
96165f0133c3d04d26e79a3022eaee2d

SHA1
0d059a7a159fb331f85a95e01d9f957e1398920e

SHA256
3182284252d74350bb349d0c968c256fd5ad7112fe4d00d79c5fbbe61bcd454c

SHA512
4631f449231b688afb11716d0702f2e3addcac46e217f2b6c87de1ca07190aa4d70ea12012149beff0bb6e70d0f6dcc2b57ce88c497d9fedcc8a069632c70662

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
448KB

MD5
ee208c3cae3be8de23440533750edd92

SHA1
e811d91d9610d6211835d54392f337181aa81ea5

SHA256
eadcba78d3df801bc4a4348ccfba13994318be6a61430a0da763a1c82461478f

SHA512
0e84d8e2eacdd2c7dacc201cb9389a89dee1268326fc136c962c33843984c6c7a2b7c9753a5ce51e0d0dfdbc149399f997eaa503ab06d352da8a9a98001e7b79

Download Submit
\Windows\SysWOW64\Phqmgg32.exe

Filesize
448KB

MD5
7452097ac977ce8733c32e1beeddae06

SHA1
fd6ad8183a60272f152ff7e08b54402098dac547

SHA256
fb6ee5c24f120905f52bc2cd854b6830999312eeef5af985cc065ecedeea3d10

SHA512
04afd0f3f7d02cf281c992ce99f011870585eaf6cfdbddd3d2e00c00a49ac6105bf748b7d60649dd61f553e9bcf915f255ea007ac1657c741b4de1db098ce31b

Download Submit
\Windows\SysWOW64\Pnbojmmp.exe

Filesize
448KB

MD5
26dbbf9b7bb19f2844689edf6b1972ff

SHA1
cafd495061589c03018d054879854e164b3b36d0

SHA256
a7b8a84a7349c336c837ab1da2ed62fbd7846661408e46743f6ecb79ac09e5fd

SHA512
6983d8558e7ce8a3690b605057c93cbfc1d1ae0b128b8d4c576fdbc6e33ca2be7d5043fa969d3ba902b1053f213805a1955a7dabe811d83059b4b3bf4ecdcb7b

Download Submit
memory/824-259-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/824-132-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/824-140-0x00000000002D0000-0x0000000000330000-memory.dmp

Filesize
384KB

Download
memory/892-229-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/892-236-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/892-240-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/892-250-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-271-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-269-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1612-12-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1612-14-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/1744-241-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1744-278-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2196-186-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2196-198-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2196-193-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2196-251-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2292-263-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2292-93-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/2292-85-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2292-261-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2332-156-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2332-168-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2332-254-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2356-149-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2356-142-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2356-255-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-113-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-126-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2600-258-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-125-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2600-256-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-262-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-260-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-99-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2620-111-0x00000000002E0000-0x0000000000340000-memory.dmp

Filesize
384KB

Download
memory/2636-36-0x0000000000290000-0x00000000002F0000-memory.dmp

Filesize
384KB

Download
memory/2636-275-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2636-29-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2764-177-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2764-279-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2764-170-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2764-183-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/2780-227-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download
memory/2780-246-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2780-219-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2876-200-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2876-247-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2876-213-0x0000000002060000-0x00000000020C0000-memory.dmp

Filesize
384KB

Download
memory/2876-207-0x0000000002060000-0x00000000020C0000-memory.dmp

Filesize
384KB

Download
memory/2928-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2928-83-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2928-274-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-57-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-264-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-266-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2940-65-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/3040-268-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3040-27-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/3040-270-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3040-26-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/3040-13-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3068-267-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3068-265-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3068-43-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3068-55-0x0000000000250000-0x00000000002B0000-memory.dmp

Filesize
384KB

Download